In recent years, Software-as-a-Service (SaaS) has emerged as a viable application delivery method, and most enterprises are now including some SaaS software in their portfolios. SaaS saves IT infrastructure and maintenance costs, not to mention the hassle of initial deployment, integration and customization common with licensed software. Organizational functions such as sales, marketing, customer service, HR and others may request to subscribe to hosted software. If you have concerns around the security of cloud computing, you are certainly not alone.
SaaS brings with it a unique set of challenges for Chief Information Security Officers. The most important shift is looking at your software vendor not as a product company, but rather as a service provider. Sound vendor management practices dictate that any third-party software is at least as secure as in-house packages. Be certain you are trading lost visibility and control in exchange for auditable security assurances.
Forrester Research cautions companies considering using cloud-based services to gain a clear understanding of the security, privacy and legal consequences before contracting with any service provider.
It’s 8 a.m. Do you know where your data is?
Let’s assume — for the sake of argument— that your data is currently isolated behind the walls of your enterprise where it’s under your control. When you convert to SaaS, your data will be transported across the Internet to the SaaS vendor site. If their application is not secure, your critical business information will potentially be exposed to anyone who can take advantage of such a vulnerability.
Too many SaaS vendors see their services as a “black box.” As their customer, you accept the services provided and trust the vendor to guard your information appropriately. Unfortunately, Internet security breaches are all too common. Customer and employee records, credit card numbers and other confidential data are subject to compromise through theft or accident at any time. SaaS vendors are not immune to these threats.
Unfortunately, some SaaS vendors who become aware of a security flaw in their service may not immediately patch it. If a security fix can be made on their server without a client patch being necessary, some vendors may never alert you that there was a problem at all. It is always possible that unpublicized bugs can be exploited in zero-day attacks before server-side fixes can be made.
Of course, many SaaS providers rise to the challenges of providing secure and reliable cloud-based services. However, as the person responsible for the security of your enterprise data, you need more than faith as assurance that they will follow through on their best intentions.
What’s a CISO to do?
The CHECKLIST – when negotiating terms with a SaaS vendor:
- Review the vendor’s service history, obtain customer references and ask them about their experiences with the vendor’s concern for privacy, reliability and security vulnerabilities.
- Be certain that application and infrastructure security requirements are written into your contract with any SaaS provider. Include an audit clause whereby you or a third-party can periodically verify that the required controls are in place.
- Get a solid Service Level Agreement. An SLA requires that the vendor provide a specified level of system reliability. A good vendor will strive for performance that meets Six Sigma levels of service quality (e.g., 99.9997% of security patches made within a set number of hours, not days, after public disclosure).
- Do not accept a policy of making silent fixes to their service. Demand notice from the vendor when security fixes are made. Specify in the SLA that you as the CISO are to be notified directly about these reports.
- Insist that the vendor’s own software development process adheres to a robust software development life cycle model that includes tollgates that check for secure coding standards. Request that a description of the process be appended to the SLA.
- Carefully examine the vendor’s policies for data recovery in the event you decide to terminate the service. Be certain that you know how long it will take to retrieve your data as well as how long it will take them to make it inaccessible online.
- Maintain strong encryption standards and key management for data transmission between your site and the vendor site.
- Be certain that your users are not the weak link in the security chain. Specify which web browsers can be used to access services, and stay on top of browser security issues and updates.
- Control domain access as well as where and when services can be accessed by your users.
- If possible, be certain that they must first login to your network to access corporate information on the SaaS vendor site.
- Always maintain ownership of domain names that you provide to clients. That way, if you terminate a vendor relationship, you will not have to retrain your clients on the correct URL to use to find you.